OpenSSL

Basic stuff

  • Check a certificate

openssl x509 -in <cert_file> -noout
  • Show a certificate's properties

openssl x509 -in <cert_file> -noout -text
  • Show expiry date of cert

openssl x509 -in <cert_file> -noout -enddate
  • Generate a new key and a certificate signing request (CSR)

openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out cert.pem
  • Generate CSR with existing key

openssl req -new -key key.pem -out cert.pem
  • Generate a self-signed cert

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
  • Check a private key

openssl rsa -in <key_file> -check
  • Check that private key matches certificate (both hashes must match)

openssl rsa -noout -modulus -in /etc/pki/tls/private/my-private.key | openssl sha512
openssl x509 -noout -modulus -in /etc/pki/tls/certs/my-cert.pem | openssl sha512
  • Check cert signature with CA cert

openssl verify -CAfile ca.pem client.pem
  • Remove the passphrase from a private key

openssl rsa -in <key_file> -out <key_file>
  • Test a TLS port (once the handshake completes, type the request line below followed by an empty line)

openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0
  • Convert PFX (IIS) to PEM

openssl pkcs12 -in mycert.pfx -out mycert.pem
  • View the details of a certificate revocation list (CRL)

openssl crl -in filename.crl -noout -text
  • Verify a cert and check it against the CRL

openssl verify -crl_check -CApath /etc/ssl/certs cert.pem

Build your own CA

openssl genrsa -aes256 -out ca.key 4096
openssl req -x509 -new -key ca.key -days 1825 -out ca-root.crt -sha512
  • Create a new key and certificate signing request

openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
  • Sign the CSR

openssl x509 -req -days 365 -in client.csr -CA ca-root.crt -CAkey ca.key -CAcreateserial -out client.crt
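The "Build your own CA" steps above, chained together with the key/certificate modulus check from "Basic stuff", as an added example that is not part of the original page. It assumes the openssl CLI (1.1.1 or later) is on PATH, uses unencrypted keys (-nodes) instead of -aes256 so it runs without passphrase prompts, and uses rsa:2048 rather than rsa:1024; all files land in a temporary directory.

```sh
#!/bin/sh
# Added example: build a root CA, issue a client cert, verify the chain,
# and confirm the client key belongs to the client cert.
set -eu

# Working directory for all generated files (override with WORK=/some/dir)
WORK="${WORK:-$(mktemp -d)}"

build_ca() {
  # Self-signed root: key and certificate in one step (page uses genrsa + req -x509)
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1825 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca-root.crt" 2>/dev/null
}

issue_client_cert() {
  # Client key + CSR, then sign the CSR with the CA exactly as on the page
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/client.csr" \
    -CA "$WORK/ca-root.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null
}

verify_chain() {
  # Exit status 0 only if client.crt chains to ca-root.crt
  openssl verify -CAfile "$WORK/ca-root.crt" "$WORK/client.crt" >/dev/null 2>&1
}

key_matches_cert() {
  # $1 = RSA private key, $2 = certificate; compares modulus hashes (page's check)
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha512)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha512)
  [ "$k" = "$c" ]
}

main() {
  build_ca
  issue_client_cert
  verify_chain
  key_matches_cert "$WORK/client.key" "$WORK/client.crt"
  echo "CA built in $WORK: client.crt chains to ca-root.crt and matches client.key"
}

main
```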

Usage of CA.pl

  • Build your own CA (on Arch Linux the script lives at /etc/ssl/misc/CA.pl)

/usr/lib/ssl/misc/CA.pl -newca
  • Create a new certificate

/usr/lib/ssl/misc/CA.pl -newcert
  • Sign a certificate

/usr/lib/ssl/misc/CA.pl -sign

More CA stuff

  • Create a Certificate Revocation List (CRL)

openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem
  • Revoke a certificate (regenerate the CRL with -gencrl afterwards, then inspect it)

openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
openssl crl -in crl_file -noout -text

Java keystore

  • Convert a PEM cert and RSA key to PKCS12 and import it into a Java keystore

openssl pkcs12 -export -in mycert.pem -inkey my.key -out mycert.pkcs12
keytool -importkeystore -deststorepass mypassword -destkeystore keystore.jks -srckeystore mycert.pkcs12 -srcstorepass mypassword
  • For subject alternative names, keytool accepts -ext san=dns:www.example.com when generating a key pair or certificate request

Generate random bytes (raw output; add -hex or -base64 for printable output)

openssl rand <nr_of_bytes>